, SecurityFocus 2000-07-17
Kevin Mitnick phones in to HOPE 2000, where a "social engineering" demo reaches out to AT&T.
If you have a hard hat, a clipboard and you're wearing a suit, you can go anywhere.
Eric Corley, publisher of 2600 Magazine and organizer of the conference that began Friday and ended Sunday night, led a three-member panel that lectured two conference rooms stuffed with hackers, reporters and other attendees on the finer points of conning people into providing sensitive information over the phone. Corley, better known under the pen name Emmanuel Goldstein, opened the session with a live demonstration of the low-tech, but often effective skill known as "social engineering" in hacker and security circles.
Corley first read aloud an AT&T email that he'd obtained warning company employees about the conference in general, and the social engineering demonstration in particular. Then, with a telephone line piped into the conference center's loudspeaker system for all to hear, Corley called AT&T's security department, claimed to be a company employee named "Armand Goldstein," and inquired about the memo.
"You should definitely be careful about giving out information," said the AT&T employee, who identified himself as 'Jim.' "This weekend, what's happening is there's a conference going on, and they're giving a live demonstration," the worker explained to "Armand," i.e., Corley.
As the conversation progressed, Corley began pressing the AT&T employee to fax him a copy of the original email. About five minutes into the call, the security worker appeared to become suddenly suspicious, and asked "Armand" to repeat his full name. "I was just looking internally to see if you're on the email list here, and I don't see your name here," the worker said.
"No," Corley replied, "It's not likely you would."
"Uh, why is that?," the employee asked.
When Corley answered, "well, basically, we're making our first phone call --," the audience, which had been carefully silent, burst into thunderous cheers and applause, and the AT&T worker hung up the phone.
While the AT&T employee did not divulge any trade secrets, panel members shared stories about other experiences conning people, and offered the hackers in the audience some advice on social engineering their way into rock concerts and other events. "I've discovered that if you have a hard hat, a clipboard and you're wearing a suit, you can go anywhere," said Robert Lupo, known as "Virus" to other hackers. "I got into the pit at the Indianapolis 500 this year."
The panel also included veteran phone phreak Richard Cheshire, a.k.a. "The Cheshire Catalyst," former editor of "TAP."
Hacker Kevin Mitnick, who last week received permission from the U.S. Probation Office to write, speak and consult about computers, phoned into the session to offer his advice to the crowd. Mitnick, generally acknowledged to be a master of social engineering, told of obtaining unlisted telephone numbers by conning phone company employees, and emphasized the importance of subtlety in social engineering. "I don't think I've ever -- except on one or two occasions -- asked someone for their password," said Mitnick over the speaker system. "That's a big red flag."
To corporations who have to guard against such attacks, Mitnick suggested taping incoming telephone calls, and notifying callers of the monitoring with a recorded message. He also said he favored employee training programs. "It's all about raising their level of awareness."